Mreza 6 racunara i MTRB 750 da li je ok podesavanje i saveti

[ Phaseshifter @ 03.04.2010. 22:37 ] @

Evo ovako imam mrezu od 6 racunara koja dolazi na Mikrotik router board 750 koji je prikljucen na kablovski net. Da ne bi pisao previse kako mreza izgleda evo seme.

Kao sto se vidi po dve masine imaju zajednicki kabal tako da kablovi od svih delova mreze ulaze direktno na MTRB 750 koji ima pet portova.MT dobija neku javnu dinamicku adresu od provajdera koji je prikljucen na eth1 dok su eth 2-4 stavljeni u bridge na koji je pusten dhcp server i dodeljuje adrese 192.168.0.10-20 Klijenti koji se kace na MT nemaju fiksno limitirane protoke vec samo zagarantovane u slucaju guzve tako da se link iskoristi sto je bolje moguce.

U firewallu su sledeca pravila:

ip firewall filter print

Code:
0   ;;; ICMP
     chain=input action=accept protocol=icmp
1   ;;; Established
     chain=input action=accept connection-state=established in-interface=eth1
2   ;;; Related
     chain=input action=accept connection-state=related in-interface=eth1
3   ;;; Zastita od spolja
     chain=input action=drop in-interface=eth1

ip firewall nat print

Code:
0 ;;; nat i maskarada
chain=srcnat action=masquerade out-interface=eth1

ip firewall mangle print

Code:

0   chain=forward action=mark-packet new-packet-mark=icmp passthrough=no protocol=icmp
1   chain=forward action=mark-packet new-packet-mark=ssl passthrough=no protocol=tcp dst-port=443
2   chain=forward action=mark-packet new-packet-mark=p2p passthrough=no p2p=all-p2p
3   chain=forward action=mark-packet new-packet-mark=udp-100 passthrough=no protocol=udp packet-size=0-100
4   chain=forward action=mark-packet new-packet-mark=udp-500 passthrough=no protocol=udp packet-size=100-500
5   chain=forward action=mark-packet new-packet-mark=udp-other passthrough=no protocol=udp
6   chain=forward action=mark-packet new-packet-mark=msn-messenger passthrough=no protocol=tcp dst-port=1863
7   chain=forward action=mark-packet new-packet-mark=pop3 passthrough=no protocol=tcp dst-port=110
8   chain=forward action=mark-packet new-packet-mark=smtp passthrough=no protocol=tcp dst-port=25
9   chain=forward action=mark-packet new-packet-mark=imap passthrough=no protocol=tcp dst-port=143
10   chain=forward action=mark-packet new-packet-mark=gre passthrough=no protocol=gre
11   chain=forward action=mark-packet new-packet-mark=ipsec-esp passthrough=no protocol=ipsec-esp
12   chain=forward action=mark-packet new-packet-mark=ipsec-ah passthrough=no protocol=ipsec-ah
13   chain=forward action=mark-packet new-packet-mark=ipencap passthrough=no protocol=ipencap
14   chain=forward action=mark-packet new-packet-mark=ipip passthrough=no protocol=ipip
15   chain=forward action=mark-packet new-packet-mark=Youtube passthrough=no src-address-list=Youtube
16   chain=forward action=mark-packet new-packet-mark=http passthrough=no protocol=tcp dst-port=80

Podesavanja za limit i QoS

queue simple print

Code:

0    name="Ivke" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both
      priority=8 queue=default/default limit-at=128k/3M max-limit=700k/16M burst-limit=0/0 burst-threshold=128k/2M
      burst-time=3s/3s total-queue=default-small

1    name="Misko" target-addresses=192.168.0.12/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both
      priority=8 queue=default/default limit-at=128k/3M max-limit=700k/16M burst-limit=0/0 burst-threshold=128k/2M
      burst-time=1s/1s total-queue=default

2    name="Milos" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both
      priority=8 queue=default/default limit-at=128k/3M max-limit=700k/16M burst-limit=0/0 burst-threshold=128k/2M
      burst-time=3s/3s total-queue=default-small

3    name="Rile" target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both
      priority=8 queue=default/default limit-at=128k/3M max-limit=700k/16M burst-limit=0/0 burst-threshold=128k/2M
      burst-time=3s/3s total-queue=default-small

4    name="Sale" target-addresses=192.168.0.15/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both
      priority=8 queue=default/default limit-at=128k/3M max-limit=700k/16M burst-limit=0/0 burst-threshold=128k/2M
      burst-time=3s/3s total-queue=default-small

5    name="Pera" target-addresses=192.168.0.14/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both
      priority=8 queue=default/default limit-at=128k/3M max-limit=700k/10M burst-limit=0/0 burst-threshold=128k/2M
      burst-time=3s/3s total-queue=default-small

Queue three

Ono sto mene interesuje je sledece:

-Da li je ovako podesen MT ok resenje za ovakav tip mreze?
-Da li da se otarasim bridge-a pa da na svaki interface pustim zaseban DHCP server sa zajednickim adress poolom ili da sve prebacim na staticke adrese i da rucno kucam rute sobzirom da vise od ovih 6 masina nece dolaziti u mrezu?
-QOS mi je jako bitan ovde ali cini mi se da tu postoji neki problem
-Kako da izveem da mi simple queues limitiraju samo internet saobracaj dok lokalni da ostaje full 100Mbit/a.
-U principu interesuje me sve sto bi moglo da poboljsa podesavanje.

Pozdrav

[ NenadS @ 03.04.2010. 22:48 ] @

Za unlimited local dodas pravilo iznad svih target-address: 192.168.0.0/24 dst.adress: 192.168.0.0/24 ili druga opcija je da svako queue pravilo dodas i out-interface (WAN) i onda ti taj limit nece vaziti za lokalni saobracaj :)

Poz

[ Phaseshifter @ 05.04.2010. 03:36 ] @

Mogu samo reci da ovo gore podesavanje sa Simple que uopste navalja i ne radi kako treba :) Druga varijanta koju sam odradio je sa PCQ i Queues tree i markiranjem paketa chain= prerouting i queue sa parentom na global-in sto radi mnogo bolje i 90% problema reseno.

Evo ako nekome zatreba:

Code:
/ip firewall address-list
add address=208.117.224.0/24 comment="Youtube serveri" disabled=no list=Youtube
add address=208.117.225.0/24 comment="" disabled=no list=Youtube
add address=208.117.228.0/24 comment="" disabled=no list=Youtube
add address=208.117.229.0/24 comment="" disabled=no list=Youtube
add address=208.117.232.0/24 comment="" disabled=no list=Youtube
add address=208.117.234.0/24 comment="" disabled=no list=Youtube
add address=208.117.238.0/24 comment="" disabled=no list=Youtube
add address=208.65.152.0/24 comment="" disabled=no list=Youtube
add address=208.65.153.0/24 comment="" disabled=no list=Youtube
add address=208.65.154.0/24 comment="" disabled=no list=Youtube
add address=64.15.112.0/20 comment="" disabled=no list=Youtube
add address=208.117.236.0/24 comment="" disabled=no list=Youtube
add address=74.125.96.0/19 comment="" disabled=no list=Youtube
add address=84.53.128.0/18 comment=Redtube disabled=no list=Youtube
add address=87.248.192.0/19 comment=Youporn disabled=no list=Youtube
add address=216.155.128.0/19 comment=Redtube disabled=no list=Youtube
add address=208.73.208.0/21 comment="" disabled=no list=Youtube
add address=66.55.140.0/23 comment="" disabled=no list=Youtube
add address=74.125.208.0/24 comment=Youtube disabled=no list=Youtube
add address=74.125.171.0/24 comment="" disabled=no list=Youtube
add address=74.125.13.0/24 comment="" disabled=no list=Youtube

[b]Ove adrese x.x.x.x zamenite svojim lokalnim adresama[/b]

add address=x.x.x.x comment="" disabled=no list=Lan
add address=x.x.x.x comment="" disabled=no list=Lan
add address=x.x.x.x comment="" disabled=no list=Lan
add address=x.x.x.x comment="" disabled=no list=Lan
add address=x.x.x.x comment="" disabled=no list=Lan
add address=x.x.x.x comment="" disabled=no list=Lan
add address=x.x.x.x comment="" disabled=no list=Lan

Code:
/ip firewall mangle
add action=mark-connection chain=forward comment="markiranje lana" disabled=no new-connection-mark=lan-connection \
    passthrough=yes src-address-list=Lan
add action=mark-packet chain=forward comment="" connection-mark=lan-connection disabled=no new-packet-mark=lan-packet \
    passthrough=no
add action=log chain=forward comment="provera za nemarkiran saobracaj" disabled=no log-prefix=""
add action=mark-packet chain=prerouting comment=ping disabled=no new-packet-mark=ICMP passthrough=no protocol=icmp
add action=mark-packet chain=prerouting comment=dns disabled=no dst-port=53 new-packet-mark=dns-tcp passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=53 new-packet-mark=dns-udp passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting comment=http connection-bytes=0-500000 disabled=no dst-port=80 new-packet-mark=\
    http-request passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-bytes=500000-0 disabled=no dst-port=80 new-packet-mark=\
    http-down passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=mail disabled=no dst-port=25 new-packet-mark=mail-25 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=110 new-packet-mark=mail-110 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=143 new-packet-mark=mail-143 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=993 new-packet-mark=mail-993 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=995 new-packet-mark=mail-995 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment=ftp disabled=no dst-port=21 new-packet-mark=ftp-21 passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=22 new-packet-mark=ftp-22 packet-size=1400-1500 \
    passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="all p2p" disabled=no new-packet-mark=p2p p2p=all-p2p passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment=msn disabled=no dst-port=1863 new-packet-mark=msn-messanger passthrough=\
    no protocol=tcp
add action=mark-packet chain=prerouting comment="Video on demand" disabled=no new-packet-mark=Video passthrough=no \
    src-address-list=Youtube
add action=mark-packet chain=prerouting comment=udp disabled=no new-packet-mark=udp-100 packet-size=0-100 passthrough=no \
    protocol=udp
add action=mark-packet chain=prerouting comment="" disabled=no new-packet-mark=udp-500 packet-size=100-500 passthrough=no \
    protocol=udp
add action=mark-packet chain=prerouting comment="" disabled=no new-packet-mark=udp-500+ packet-size=500-65535 \
    passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=ssl disabled=no dst-port=443 new-packet-mark=ssl passthrough=no protocol=\
    tcp

Code:

add kind=pcq name=Youtube_down pcq-classifier=src-port,dst-port pcq-limit=20 pcq-rate=800000 pcq-total-limit=500
add kind=pcq name=All-down pcq-classifier=dst-address pcq-limit=20 pcq-rate=16000000 pcq-total-limit=500
add kind=pcq name=All-up pcq-classifier=src-address pcq-limit=20 pcq-rate=768000 pcq-total-limit=500

Code:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="All download" packet-mark="" \
    parent=bridge-lan priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Lan download" packet-mark=\
    lan-packet parent="All download" priority=8 queue=All-down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=All-upload packet-mark="" \
    parent=eth1-sbb priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Lan upload" packet-mark=\
    lan-packet parent=All-upload priority=8 queue=All-up
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=QoS packet-mark="" parent=\
    global-in priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Prioriti 1" packet-mark="" \
    parent=QoS priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Prioriti 3" packet-mark="" \
    parent=QoS priority=3 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Prioriti 5" packet-mark="" \
    parent=QoS priority=5 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Prioriti 8" packet-mark="" \
    parent=QoS priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=icmp packet-mark=icmp parent=\
    "Prioriti 1" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=dns-tcp packet-mark=dns-tcp \
    parent="Prioriti 1" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=dns-udp packet-mark=dns-udp \
    parent="Prioriti 1" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=http-req packet-mark=\
    http-request parent="Prioriti 1" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=all-p2p packet-mark=p2p parent=\
    "Prioriti 8" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Prioriti 7" packet-mark="" \
    parent=QoS priority=7 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=http-down packet-mark=http-down \
    parent="Prioriti 7" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=udp-100 packet-mark=udp-100 \
    parent="Prioriti 1" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=udp-500 packet-mark=udp-500 \
    parent="Prioriti 3" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=udp-500+ packet-mark=udp-500+ \
    parent="Prioriti 8" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ssl packet-mark=ssl parent=\
    "Prioriti 1" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=Video packet-mark=Video parent=\
    "Prioriti 7" priority=8 queue=Youtube_down
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=mail-995 packet-mark=mail-995 \
    parent="Prioriti 7" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=mail-993 packet-mark=mail-993 \
    parent="Prioriti 7" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=mail-110 packet-mark=mail-110 \
    parent="Prioriti 7" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=mail-25 packet-mark=mail-25 \
    parent="Prioriti 7" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ftp-21 packet-mark=ftp-21 \
    parent="Prioriti 7" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ftp-22 packet-mark=ftp-22 \
    parent="Prioriti 7" priority=8 queue=default